Resources

Selected articles

Offline Autoruns Revisited - Auditing Malware Persistence

Investigating WMI Attacks

Reconnaissance Detection

Investigating PowerShell: Command and Script Logging

Device Profiling with Windows Prefetch

ESE Databases are Dirty!

What is New in Windows Application Execution?

Mo’ Shells Mo’ Problems – Web Server Log Analysis

Getting Started with Linux Memory Forensics

Computer Forensics How-To: Microsoft Log Parser

NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files

OpenSaveMRU and LastVisitedMRU

Finding Registry Malware Persistence with RECmd

Cloud Storage Acquisition from Endpoint Devices

SANS FOR500: Windows Forensic Analysis - Updated for Windows 11 and Beyond

Power Up Memory Forensics with Memory Baseliner

Updated Windows Forensic Analysis Poster

Finding Evil WMI Event Consumers with Disk Forensics

Google Chrome Platform Notifications (LevelDB)

WORKSHOPS

https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395/

Cobalt_Strike_Detection_via_Log_Analysis.pdf

Videos

slides

Cobalt_Strike_Threat_Hunting-Tilbury.pdf

Investigating_WMI_Attacks_Tilbury_2018.pdf

Know_Your_Credentials_2017_Tilbury.pdf

LessonsIncidentResponse_2016_PREZ.pdf

Tracking_Deep_Panda_Web_Shells_2013_Tilbury.pdf

Geolocation_Forensics_2013_Tilbury.pdf

APT_Hiding_in_Plain_Sight_2011_Tilbury.pdf

Report abuse